Have server enforce SSH zone separation

When a client requests a zone's ssh credentials, make sure the client is consistent with the specified zone. Per github user salben21
2025-05-21 19:22:05 +00:00 · 2022-09-09 12:59:37 -04:00 · 2022-09-09 12:59:37 -04:00 · 85149c37f4
commit 85149c37f4
parent fa6b7bdf9e
1 changed files with 21 additions and 5 deletions
--- a/xCAT-server/lib/xcat/plugins/credentials.pm
+++ b/xCAT-server/lib/xcat/plugins/credentials.pm
@ -133,18 +133,34 @@ sub process_request
        my $sshrootkeydir    = "$root/.ssh";    # old default
        if ((($parm =~ /^ssh_root_key/) || ($parm =~ /^ssh_root_pub_key/)) && ($foundkeys == 0)) {
            my ($rootkeyparm, $zonename) = split(/:/, $parm);
+            my $client_zonename = xCAT::Zone->getmyzonename($client);
+            my $default_zonename = xCAT::Zone->getdefaultzone();
+            
            if ($zonename) {
                $parm = $rootkeyparm;           # take the zone off
                xCAT::MsgUtils->trace(0, 'I', "credentials: The node ($client) is asking for sshkeys of zone: $zonename.");
-                $sshrootkeydir = xCAT::Zone->getzonekeydir($zonename);
-                if ($sshrootkeydir == 1) {      # error return
-                    xCAT::MsgUtils->trace(0, 'W', "credentials: The zone: $zonename is not defined.");
+                if ($client_zonename eq $zonename) {
+                    my $sshbetweenodes_allowed = xCAT::Zone->enableSSHbetweennodes($client);
+                    if (($sshbetweenodes_allowed == 1) || ($parm =~ /^ssh_root_pub_key/)) { # check if sshbetweennodes is allowed or pub key is requested
+                        $sshrootkeydir = xCAT::Zone->getzonekeydir($zonename);
+                        if ($sshrootkeydir == 1) {    # error return
+                            xCAT::MsgUtils->trace(0, 'W', "credentials: The zone: $zonename is not defined.");
+                        } else {
+                            $foundkeys = 1; # don't want to read the zone data twice
+                        }
+                    } else {
+                        xCAT::MsgUtils->trace(0, 'E', "credentials: Not allowed to read root's private ssh key because sshbetweennodes is disabled.");
+                        $sshrootkeydir = 1;
+                    }
                } else {
-                    $foundkeys = 1;    # don't want to read the zone data twice
+                    xCAT::MsgUtils->trace(0, 'E', "credentials: Not allowed to read root's private ssh key of different zone.");
+                    $sshrootkeydir = 1;
                }
+            } elsif ($client_zonename ne $default_zonename) { # check if no zonename is submitted but node is not in default zone
+                xCAT::MsgUtils->trace(0, 'E', "credentials: Not allowed to read root's private ssh key of default zone.");
+                $sshrootkeydir = 1;
            }
        }
-
        if ($parm =~ /ssh_root_key/) {
            unless (-r "$sshrootkeydir/id_rsa") {
                push @{ $rsp->{'error'} }, "Unable to read root's private ssh key";